Merge branch '2.8'

colinodell · colinodell · commit 238191e5c8ae · 2026-03-05T16:39:20.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,14 @@ Updates should follow the [Keep a CHANGELOG](https://keepachangelog.com/) princi
 
 ## [Unreleased][unreleased]
 
+## [2.8.1] - 2026-03-05
+
+This is a **security release** to address an issue where `DisallowedRawHtml` can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.
+
+### Fixed
+- Fixed `DisallowedRawHtmlRenderer` not blocking raw HTML tags with trailing ASCII whitespace (GHSA-4v6x-c7xx-hw9f)
+- Fixed PHP 8.5 deprecation (#1107)
+
 ## [2.8.0] - 2025-11-26
 
 ### Added
@@ -717,7 +725,8 @@ No changes were introduced since the previous release.
     - Alternative 1: Use `CommonMarkConverter` or `GithubFlavoredMarkdownConverter` if you don't need to customize the environment
     - Alternative 2: Instantiate a new `Environment` and add the necessary extensions yourself
 
-[unreleased]: https://github.com/thephpleague/commonmark/compare/2.8.0...HEAD
+[unreleased]: https://github.com/thephpleague/commonmark/compare/2.8.1...HEAD
+[2.8.1]: https://github.com/thephpleague/commonmark/compare/2.8.0...2.8.1
 [2.8.0]: https://github.com/thephpleague/commonmark/compare/2.7.1...2.8.0
 [2.7.1]: https://github.com/thephpleague/commonmark/compare/2.7.0...2.7.1
 [2.7.0]: https://github.com/thephpleague/commonmark/compare/2.6.2...2.7.0
diff --git a/composer.json b/composer.json
@@ -42,9 +42,9 @@
         "phpstan/phpstan": "^1.8.2",
         "phpunit/phpunit": "^9.5.21 || ^10.5.9 || ^11.0.0",
         "scrutinizer/ocular": "^1.8.1",
-        "symfony/finder": "^5.3 | ^6.0 | ^7.0",
-        "symfony/process": "^5.4 | ^6.0 | ^7.0",
-        "symfony/yaml": "^2.3 | ^3.0 | ^4.0 | ^5.0 | ^6.0 | ^7.0",
+        "symfony/finder": "^5.3 | ^6.0 | ^7.0 || ^8.0",
+        "symfony/process": "^5.4 | ^6.0 | ^7.0 || ^8.0",
+        "symfony/yaml": "^2.3 | ^3.0 | ^4.0 | ^5.0 | ^6.0 | ^7.0 || ^8.0",
         "unleashedtech/php-coding-standard": "^3.1.1",
         "vimeo/psalm": "^4.24.0 || ^5.0.0 || ^6.0.0"
     },
diff --git a/docs/2.x/customization/rendering.md b/docs/2.x/customization/rendering.md
@@ -12,8 +12,8 @@ redirect_from:
   - /2.5/customization/rendering/
   - /2.6/customization/rendering/
   - /2.7/customization/rendering/
-- /customization/block-rendering/
-- /customization/inline-rendering/
+  - /customization/block-rendering/
+  - /customization/inline-rendering/
 ---
 
 # Custom Rendering
diff --git a/src/Extension/DisallowedRawHtml/DisallowedRawHtmlRenderer.php b/src/Extension/DisallowedRawHtml/DisallowedRawHtmlRenderer.php
@@ -45,7 +45,7 @@ public function render(Node $node, ChildNodeRendererInterface $childRenderer): ?
             return $rendered;
         }
 
-        $regex = \sprintf('/<(\/?(?:%s)[ \/>])/i', \implode('|', \array_map('preg_quote', $tags)));
+        $regex = \sprintf('/<(\/?(?:%s)[\s\/>])/i', \implode('|', \array_map('preg_quote', $tags)));
 
         // Match these types of tags: <title> </title> <title x="sdf"> <title/> <title />
         return \preg_replace($regex, '&lt;$1', $rendered);
diff --git a/src/Util/UrlEncoder.php b/src/Util/UrlEncoder.php
@@ -56,7 +56,7 @@ public static function unescapeAndEncode(string $uri): string
                 }
             }
 
-            if (\ord($code) < 128) {
+            if (\strlen($code) === 1 && \ord($code) < 128) {
                 $result .= self::ENCODE_CACHE[\ord($code)];
                 continue;
             }
diff --git a/tests/unit/Extension/DisallowedRawHtml/DisallowedRawHtmlRendererTest.php b/tests/unit/Extension/DisallowedRawHtml/DisallowedRawHtmlRendererTest.php
@@ -71,6 +71,16 @@ public static function dataProviderForTestWithDefaultSettings(): iterable
         yield ['<script>', '&lt;script>'];
         yield ['<plaintext>', '&lt;plaintext>'];
 
+        // Newline/whitespace bypass attempts (security fix)
+        yield ['<script   >', '&lt;script   >'];
+        yield ["<script\n>", "&lt;script\n>"];
+        yield ["<script\t>", "&lt;script\t>"];
+        yield ["<script\r\n>", "&lt;script\r\n>"];
+        yield ["<iframe\nwidth=\"560\">", "&lt;iframe\nwidth=\"560\">"];
+
+        // Ensure non-disallowed tags with similar names are NOT filtered
+        yield ['<scriptfoo>', '<scriptfoo>'];
+
         // Tags not escaped by default
         yield ['<strong>', '<strong>'];
     }
@@ -107,6 +117,11 @@ public static function dataProviderForTestWithCustomSettings(): iterable
         yield ['<strong/>', '&lt;strong/>'];
         yield ['<strong />', '&lt;strong />'];
 
+        // Newline bypass with custom config
+        yield ['<strong   >', '&lt;strong   >'];
+        yield ["<strong\n>", "&lt;strong\n>"];
+        yield ["<strong\t>", "&lt;strong\t>"];
+
         // Defaults that I didn't include in my custom config
         yield ['<title>', '<title>'];
         yield ['<textarea>', '<textarea>'];

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ public function render(Node $node, ChildNodeRendererInterface $childRenderer): ?`
`45`	`45`	`return $rendered;`
`46`	`46`	`}`
`47`	`47`
`48`		`- $regex = \sprintf('/<(\/?(?:%s)[ \/>])/i', \implode('\|', \array_map('preg_quote', $tags)));`
	`48`	`+ $regex = \sprintf('/<(\/?(?:%s)[\s\/>])/i', \implode('\|', \array_map('preg_quote', $tags)));`
`49`	`49`
`50`	`50`	`// Match these types of tags: <title> </title> <title x="sdf"> <title/> <title />`
`51`	`51`	`return \preg_replace($regex, '<$1', $rendered);`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ public static function unescapeAndEncode(string $uri): string`
`56`	`56`	`}`
`57`	`57`	`}`
`58`	`58`
`59`		`- if (\ord($code) < 128) {`
	`59`	`+ if (\strlen($code) === 1 && \ord($code) < 128) {`
`60`	`60`	`$result .= self::ENCODE_CACHE[\ord($code)];`
`61`	`61`	`continue;`
`62`	`62`	`}`